mm: fix fault vs invalidate race for linear mappings

Fix the race between invalidate_inode_pages and do_no_page.

Andrea Arcangeli identified a subtle race between invalidation of pages from
pagecache with userspace mappings, and do_no_page.

The issue is that invalidation has to shoot down all mappings to the page,
before it can be discarded from the pagecache.  Between shooting down ptes to
a particular page, and actually dropping the struct page from the pagecache,
do_no_page from any process might fault on that page and establish a new
mapping to the page just before it gets discarded from the pagecache.

The most common case where such invalidation is used is in file truncation.
This case was catered for by doing a sort of open-coded seqlock between the
file's i_size, and its truncate_count.

Truncation will decrease i_size, then increment truncate_count before
unmapping userspace pages; do_no_page will read truncate_count, then find the
page if it is within i_size, and then check truncate_count under the page
table lock and back out and retry if it had subsequently been changed (ptl
will serialise against unmapping, and ensure a potentially updated
truncate_count is actually visible).

Complexity and documentation issues aside, the locking protocol fails in the
case where we would like to invalidate pagecache inside i_size.  do_no_page
can come in anytime and filemap_nopage is not aware of the invalidation in
progress (as it is when it is outside i_size).  The end result is that
dangling (->mapping == NULL) pages that appear to be from a particular file
may be mapped into userspace with nonsense data.  Valid mappings to the same
place will see a different page.

Andrea implemented two working fixes, one using a real seqlock, another using
a page->flags bit.  He also proposed using the page lock in do_no_page, but
that was initially considered too heavyweight.  However, it is not a global or
per-file lock, and the page cacheline is modified in do_no_page to increment
_count and _mapcount anyway, so a further modification should not be a large
performance hit.  Scalability is not an issue.

This patch implements this latter approach.  ->nopage implementations return
with the page locked if it is possible for their underlying file to be
invalidated (in that case, they must set a special vm_flags bit to indicate
so).  do_no_page only unlocks the page after setting up the mapping
completely.  invalidation is excluded because it holds the page lock during
invalidation of each page (and ensures that the page is not mapped while
holding the lock).

This also allows significant simplifications in do_no_page, because we have
the page locked in the right place in the pagecache from the start.

Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 20 insertions, 33 deletions

diff --git a/mm/filemap.c b/mm/filemap.c
index 5d5449f3d41c..462cda58a18e 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -1325,9 +1325,10 @@ struct page *filemap_nopage(struct vm_area_struct *area,
         unsigned long size, pgoff;
         int did_readaround = 0, majmin = VM_FAULT_MINOR;
 
+        BUG_ON(!(area->vm_flags & VM_CAN_INVALIDATE));
+
         pgoff = ((address-area->vm_start) >> PAGE_CACHE_SHIFT) + area->vm_pgoff;
 
-retry_all:
         size = (i_size_read(inode) + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
         if (pgoff >= size)
                 goto outside_data_content;
@@ -1349,7 +1350,7 @@ retry_all:
          * Do we have something in the page cache already?
          */
 retry_find:
-        page = find_get_page(mapping, pgoff);
+        page = find_lock_page(mapping, pgoff);
         if (!page) {
                 unsigned long ra_pages;
 
@@ -1383,7 +1384,7 @@ retry_find:
                                 start = pgoff - ra_pages / 2;
                         do_page_cache_readahead(mapping, file, start, ra_pages);
                 }
-                page = find_get_page(mapping, pgoff);
+                page = find_lock_page(mapping, pgoff);
                 if (!page)
                         goto no_cached_page;
         }
@@ -1392,13 +1393,19 @@ retry_find:
                 ra->mmap_hit++;
 
         /*
-         * Ok, found a page in the page cache, now we need to check
-         * that it's up-to-date.
+         * We have a locked page in the page cache, now we need to check
+         * that it's up-to-date. If not, it is going to be due to an error.
          */
-        if (!PageUptodate(page))
+        if (unlikely(!PageUptodate(page)))
                 goto page_not_uptodate;
 
-success:
+        /* Must recheck i_size under page lock */
+        size = (i_size_read(inode) + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
+        if (unlikely(pgoff >= size)) {
+                unlock_page(page);
+                goto outside_data_content;
+        }
+
         /*
          * Found the page and have a reference on it.
          */
@@ -1440,6 +1447,7 @@ no_cached_page:
         return NOPAGE_SIGBUS;
 
 page_not_uptodate:
+        /* IO error path */
         if (!did_readaround) {
                 majmin = VM_FAULT_MAJOR;
                 count_vm_event(PGMAJFAULT);
@@ -1451,37 +1459,15 @@ page_not_uptodate:
          * because there really aren't any performance issues here
          * and we need to check for errors.
          */
-        lock_page(page);
-
-        /* Somebody truncated the page on us? */
-        if (!page->mapping) {
-                unlock_page(page);
-                page_cache_release(page);
-                goto retry_all;
-        }
-
-        /* Somebody else successfully read it in? */
-        if (PageUptodate(page)) {
-                unlock_page(page);
-                goto success;
-        }
         ClearPageError(page);
         error = mapping->a_ops->readpage(file, page);
-        if (!error) {
-                wait_on_page_locked(page);
-                if (PageUptodate(page))
-                        goto success;
-        } else if (error == AOP_TRUNCATED_PAGE) {
-                page_cache_release(page);
+        page_cache_release(page);
+
+        if (!error || error == AOP_TRUNCATED_PAGE)
                 goto retry_find;
-        }
 
-        /*
-         * Things didn't work out. Return zero to tell the
-         * mm layer so, possibly freeing the page cache page first.
-         */
+        /* Things didn't work out. Return zero to tell the mm layer so. */
         shrink_readahead_size_eio(file, ra);
-        page_cache_release(page);
         return NOPAGE_SIGBUS;
 }
 EXPORT_SYMBOL(filemap_nopage);
@@ -1674,6 +1660,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
                 return -ENOEXEC;
         file_accessed(file);
         vma->vm_ops = &generic_file_vm_ops;
+        vma->vm_flags |= VM_CAN_INVALIDATE;
         return 0;
 }